step-security/harden-runner stops npm install #122

Closed
wallies opened this issue Apr 5, 2022 · 7 comments · Fixed by #138

@wallies
wallies commented Apr 5, 2022

In one of my GitHub Actions I set up 9b0655f # v1 with audit egress policy. I was using https://github.com/wallies/action-netlify-deploy to set up my Netlify previews. The issue was that when it came to installing my dependencies via npm ci or npm install, it would just hang. I removed the step-security/harden-runner step and everything worked. I'm using Node LTS 16.14.

@varunsh-coder
Member

Sorry to hear that @wallies. I am trying to repro it, but not able to. I suspect it might be something specific to the workflow. In your workflow, can you please follow these steps to help troubleshoot:

  1. After the npm install hangs
  2. Cancel the workflow
  3. Look in the build log for the Post harden runner step. This should be the last step in the job. If harden-runner is not working as expected, it will publish an error message.

Please share that error message. That should help troubleshoot the issue. Thanks!

@varunsh-coder
Member

I did notice that the action-netlify-deploy step takes about 30 seconds before the logs appear, because it installs netlifycli, so if there is no error in the Post harden runner step, it could just be that the action-netlify-deploy step needs more time to run...

@wallies
Author

wallies commented Apr 5, 2022

> I did notice that the action-netlify-deploy step takes about 30 seconds before the logs appear, because it installs netlifycli, so if there is no error in the Post harden runner step, it could just be that the action-netlify-deploy step needs more time to run...

Thanks for trying to reproduce, @varunsh-coder. It's the weirdest thing, no errors at all. Normally, without the hardener step at the start, the build takes 5 to 6 minutes. Yet with it there it just hangs. I will try to get more output today. It works on all my other repos and jobs, and this isn't doing anything special, and I only have the hardener on audit so it shouldn't block.

@wallies
Author

wallies commented Apr 23, 2022

I tried this again with ACTIONS_RUNNER_DEBUG. Still nothing, below is the build output from npm ci. The cancel is after 15 minutes. The install usually takes no longer than 5.

Installing dependencies via npm ci --no-optional --verbose
npm verb cli [
npm verb cli   '/github/home/.nvm/versions/node/v16.13.0/bin/node',
npm verb cli   '/github/home/.nvm/versions/node/v16.13.0/bin/npm',
npm verb cli   'ci',
npm verb cli   '--no-optional',
npm verb cli   '--verbose'
npm verb cli ]
npm info using [email protected]
npm info using [email protected]
npm timing npm:load:whichnode Completed in 0ms
npm timing config:load:defaults Completed in 1ms
npm timing config:load:file:/github/home/.nvm/versions/node/v16.13.0/lib/node_modules/npm/npmrc Completed in 1ms
npm timing config:load:builtin Completed in 2ms
npm verb config optional Use `--omit=optional` to exclude optional dependencies, or
npm verb config `--include=optional` to include them.
npm verb config 
npm verb config     Default value does install optional deps unless otherwise omitted.
npm timing config:load:cli Completed in 2ms
npm timing config:load:env Completed in 0ms
npm timing config:load:file:/github/workspace/.npmrc Completed in 0ms
npm timing config:load:project Completed in 1ms
npm timing config:load:file:/github/home/.npmrc Completed in 0ms
npm timing config:load:user Completed in 0ms
npm timing config:load:file:/github/home/.nvm/versions/node/v16.13.0/etc/npmrc Completed in 1ms
npm timing config:load:global Completed in 1ms
npm timing config:load:validate Completed in 0ms
npm timing config:load:credentials Completed in 1ms
npm timing config:load:setEnvs Completed in 1ms
npm timing config:load Completed in 9ms
npm timing npm:load:configload Completed in 9ms
npm timing npm:load:setTitle Completed in 0ms
npm timing npm:load:setupLog Completed in 0ms
npm timing config:load:flatten Completed in 3ms
npm timing npm:load:cleanupLog Completed in 2ms
npm timing npm:load:configScope Completed in 0ms
npm timing npm:load:projectScope Completed in 1ms
npm timing npm:load Completed in 19ms
npm timing arborist:ctor Completed in 1ms
npm timing npm-ci:rm Completed in 4ms
npm timing idealTree:init Completed in 2ms
npm timing idealTree:userRequests Completed in 1ms
npm timing idealTree:#root Completed in 1ms
npm timing idealTree:buildDeps Completed in 1ms
npm timing idealTree:fixDepFlags Completed in 0ms
npm timing idealTree Completed in 20ms
npm timing reify:loadTrees Completed in 36ms
npm timing reify:diffTrees Completed in 71ms
npm timing reify:retireShallow Completed in 1ms
Error: The operation was canceled.

@varunsh-coder
Member

@wallies sorry to hear it is still not working. For me to repro it, so I can try to understand the issue, would it be possible for you to share the package.json and package-lock.json with me? Feel free to email the files to me if you prefer that.

@varunsh-coder
Member

Updating this issue: I found the root cause and the fix has been tested. It should be released early next week. File monitoring was causing the job to slow down due to a lot of lchown requests. After the fix, the agent will only monitor for specific syscalls that are needed.

@varunsh-coder
Member

Hi @wallies, this should be fixed. Can you please verify with the latest tag - 248ae51c2e8cc9622ecf50685c8bf7150c6e8813? Thanks!
